Conficker.C primed for April Fool’s activation

Conficker has caused trouble for months since it appeared in late 2008, and a …

We've been tracking the Conficker worm since it launched itself into the wild last November; despite the best efforts of security officials worldwide, the worm still hasn't been completely crushed. The original flavor and its nastier follow-up (Conficker.A and Conficker.B) have been locked down, but the worm's creators have a third version (Conficker.C, naturally) prepared to hit the tubes come April 1. The new "C" twist won't have all of the tools "B" used to replicate, but it will be able to detect and kill certain system processes designed to find and remove it.

Ars spoke with Don DeBolt, CA's Director of Threat Research, to get some additional information on Conficker.C, its threat profile, and why the gosh-darned thing isn't dead yet. CA (formerly Computer Associates) has published an extensive guide to Conficker.C, which includes information on its attack vectors, behavioral analysis, and how to tell if the "C" variant of Conficker is running on your system. This last part could pose a challenge—unlike previous versions, C adopts what DeBolt refers to as a "defensive stance" and throws up a number of roadblocks, all of which are aimed at hindering user detection of the worm.

The security industry was collectively able to put the brakes on Conficker.B's expansion when they managed to reverse-engineer the virus and determine which domains it would attempt to register and dial home to on particular dates. With Conficker.A and B, the worm chose to contact 32 addresses out of a possible 250 on any given attempt. With their algorithm broken, the malware authors went a step beyond updating their randomization/selection code—they also vastly increased both the number of domains the worm could generate as well as the number it will randomly select. Conficker.C will select 500 domains out of a randomized pool of 50,000 instead of the previous 32/250.

This will drive up the cost of operating the botnet (we've previously covered how vulnerable malware networks can be to changes in their cost structure), but it will also significantly increase the cost of attempting to monitor and preempt botnet domain registrations, even once the randomizing algorithm has been broken.
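The asymmetry described above can be made concrete with a small model. The example below is added here and is not part of the article or of CA's analysis; it uses only the figures the article gives (32 of 250 domains per attempt for A/B, 500 of 50,000 for C) and assumes, for illustration, that a bot picks its domains uniformly at random, so the chance that it hits at least one domain the operator has registered follows a hypergeometric distribution. The defender's position is the mirror image: to be sure of blocking every rendezvous point, the defender has to hold the entire candidate pool.

```python
"""Cost model for Conficker's domain-selection change (added example).

Assumption: a bot selects `picked` distinct domains uniformly at random from a
pool of `pool` candidates.  The probability that none of them is among the
`registered` operator-controlled domains is then
    C(pool - picked, registered) / C(pool, registered)
which we evaluate as a running product to avoid enormous intermediates.
"""

# Figures from the article: (pool size, domains contacted per attempt)
CONFICKER_AB = (250, 32)
CONFICKER_C = (50_000, 500)


def p_bot_reaches_operator(pool: int, picked: int, registered: int) -> float:
    """Probability that a bot contacts at least one operator-registered domain."""
    if registered <= 0:
        return 0.0
    if registered >= pool - picked + 1:
        return 1.0  # too few unregistered domains left for the bot to miss them all
    miss_all = 1.0
    for j in range(registered):
        miss_all *= (pool - picked - j) / (pool - j)
    return 1.0 - miss_all


def operator_domains_for_coverage(pool: int, picked: int, target: float) -> int:
    """Smallest number of registered domains that reaches `target` probability
    of being contacted by a given bot on a given attempt."""
    r = 0
    while p_bot_reaches_operator(pool, picked, r) < target:
        r += 1
    return r


def defender_domains_to_sinkhole(pool: int) -> int:
    """Guaranteed blocking requires holding every candidate in the pool."""
    return pool


def compare(old=CONFICKER_AB, new=CONFICKER_C, target=0.5) -> dict:
    """Summarise how the change shifts cost for operator and defender."""
    return {
        "operator_domains_old": operator_domains_for_coverage(*old, target),
        "operator_domains_new": operator_domains_for_coverage(*new, target),
        "defender_domains_old": defender_domains_to_sinkhole(old[0]),
        "defender_domains_new": defender_domains_to_sinkhole(new[0]),
        "defender_cost_multiplier": new[0] / old[0],
    }


if __name__ == "__main__":
    for label, (pool, picked) in (("A/B", CONFICKER_AB), ("C", CONFICKER_C)):
        p1 = p_bot_reaches_operator(pool, picked, 1)
        print(f"{label}: one registered domain is hit by {p1:.1%} of bots per attempt")
    print(compare())
```

The operator's per-domain yield drops (a single registered domain is contacted by 12.8% of bots per attempt under A/B but only 1% under C), so the operator must register more domains to keep the same reach; the defender's guaranteed-blocking cost, however, rises two-hundredfold, from 250 registrations to 50,000 per cycle.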

Once installed, Conficker.C implements a variety of nasty behaviors. The worm will attempt to disable Windows Automatic Update and stop access to the Windows Security Center, can detect and kill SysInternals' Process Explorer program, and will interfere with the operation of a number of other search-and-destroy programs including Wireshark and SysClean.

It will also reset and delete system restore points and disable various services, including WinDefend, BITS (Background Intelligent Transfer Service), ERSvc (Error Reporting Service) and WerSvc (Windows Error Reporting Service, Vista-only). In a final fit of pique, Conficker.C will prevent any attempt to connect to a variety of antivirus software services or websites. This behavior is nothing new to malware in general, but it's the first time we've seen it from our Conf(l)ickt-causing little friend.
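The service list above is also a detection opportunity: a cluster of security-related services stopping on one host within seconds of each other is unusual for a healthy machine. The following is an added example, not from the article or CA's guide, that correlates service-stop events against the services the article names. The log format and sample lines are constructed for illustration; `wuauserv` (the Windows Automatic Update service) is added by assumption because the article names the feature rather than the service.

```python
"""Flag hosts where several watched services stop within a short window.

Added example.  Log format and sample lines are constructed; they do not come
from any real Conficker incident.
"""
from datetime import datetime, timedelta

# Services the article says Conficker.C disables, plus wuauserv (assumed name
# for the Windows Automatic Update service the article mentions by feature).
WATCHED_SERVICES = {"WinDefend", "BITS", "ERSvc", "WerSvc", "wuauserv"}

# Constructed sample log: "<ISO timestamp> <host> service=<name> state=<state>"
SAMPLE_LOG = """\
2009-03-30T08:00:01 pc-17 service=Spooler state=stopped
2009-03-30T08:00:05 pc-17 service=WinDefend state=stopped
2009-03-30T08:00:05 pc-17 service=wuauserv state=stopped
2009-03-30T08:00:06 pc-17 service=BITS state=stopped
2009-03-30T08:00:06 pc-17 service=ERSvc state=stopped
2009-03-30T09:15:00 pc-22 service=BITS state=stopped
2009-03-30T11:40:00 pc-22 service=BITS state=running
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, host, svc, state = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "service": svc.split("=", 1)[1],
        "state": state.split("=", 1)[1],
    }


def find_mass_service_stops(log_text: str,
                            window: timedelta = timedelta(seconds=60),
                            min_services: int = 3) -> dict:
    """Return {host: sorted list of watched services} for every host where at
    least `min_services` distinct watched services stopped within `window`.

    A single BITS stop (pc-22 in the sample) is normal noise and is ignored;
    the signal is several protective services going down together."""
    by_host: dict[str, list[dict]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["state"] != "stopped" or ev["service"] not in WATCHED_SERVICES:
            continue
        by_host.setdefault(ev["host"], []).append(ev)

    hits = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        # Slide a window anchored on each stop event and count distinct services.
        for i, first in enumerate(events):
            in_window = {e["service"] for e in events[i:]
                         if e["ts"] - first["ts"] <= window}
            if len(in_window) >= min_services:
                hits[host] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for host, services in find_mass_service_stops(SAMPLE_LOG).items():
        print(f"{host}: {len(services)} watched services stopped together: {services}")
```

The threshold and window are deliberately parameters: on a fleet where an admin tool legitimately restarts BITS, raise `min_services` or shorten `window` rather than drop BITS from the watch list, since the worm's behaviour is the co-occurrence, not any one stop.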

The security industry's battle against Conficker is unlikely to resolve this go-round—we'll probably see at least a "D" variant before this is done—but DeBolt believes the coordinated response and organized counter-attack from Team White Hat has dramatically retarded the virus' ability to infect new systems. In the meantime, Romanian researchers from BitDefender have released a tool that should remove Conficker, though it's not clear if this will clean versions A, B, and C, or just the first two.

Yeah, what's with a "sneak peek" at a worm that is "scheduled for release" in April...?

Anyway, all the bits about how it automatically kills processes... well, that's annoying, but in a way it's also almost reassuring. Makes it much easier to spot the fact that you HAVE the damn thing.

My personal nightmare is the "stealth worm" that doesn't abuse the living hell out of your resources or kill processes, but just resides there and does things frugally, making your machine do things you don't really want it to without tipping its hand to make it easy to spot that it's there in the first place. ::shudder::

I was infected with this last week after *one* click off Google News (eCanadaNow*). It used a combination of the PDF exploit plus javascript to install itself, crash the browser, and start running.

I've removed lots of malware before but this was the trickiest little devil to get rid of. It uses 4 or 5 ways to start up, monitors running processes, responds to attempts to remove it by making the system nearly unusable and except for the popups it generated did a very good job of masking itself from even being seen. It will even run in safe mode and injects itself into the code space of good system processes to avoid detection.

* eCanadaNow is basically an ad service with a few news articles thrown in on the side. How they were ever included in Google News is beyond me.

The Shadow:

Yeah, what's with a "sneak peek" at a worm that is "scheduled for release" in April...?

Anyway, all the bits about how it automatically kills processes... well, that's annoying, but in a way it's also almost reassuring. Makes it much easier to spot the fact that you HAVE the damn thing.

My personal nightmare is the "stealth worm" that doesn't abuse the living hell out of your resources or kill processes, but just resides there and does things frugally, making your machine do things you don't really want it to without tipping its hand to make it easy to spot that it's there in the first place. ::shudder::

What makes you think these aren't out there already? And even more with modern multiprocessor systems. A nice worm that doesn't screw you over would probably stay on the system for most of its life just because no one suspects anything, or it's not worth it to fix it.

Random nitpick - I realize you posted a link to a writeup of the worm, but it would be nice if you had mentioned at the bottom of the article a quick "Remember to update your OS with patch X to detect against infection" or "The following vendors have definitions that will detect it as of XYZ date", etc...

Oh, here comes the gratuitous Linux comment: I'm using Linux and don't have to worry about this round of this Winders virus.

And a good observation of an irony in this whole thing from a previous commenter: how do they get a preview of an upcoming virus? Do they get submissions like Phoronix gets preview hardware? Just a thought.

My personal nightmare is the "stealth worm" that doesn't abuse the living hell out of your resources or kill processes, but just resides there and does things frugally, making your machine do things you don't really want it to without tipping its hand to make it easy to spot that it's there in the first place. ::shudder::

You have nightmares about sitting in front of a computer that's running just fine and behaving perfectly, by all appearances?